Salt PKI fixes

salt/files/_acl.conf

@@ -0,0 +1,4 @@
+
+peer:
+  .*:
+    - x509.sign_remote_certificate

salt/files/_peer.conf

@@ -0,0 +1,6 @@
+{% from "salt/map.jinja" import master with context %}
+
+peer:
+{%- for peer_name,peer_rules in master.peer.items() %}
+  {{ peer_name }}: {{ peer_rules }}
+{%- endfor %}

salt/master/service.sls

@@ -15,6 +15,20 @@ salt_master_packages:
   - watch_in:
     - service: salt_master_service
 
+{%- if master.peer is defined %}
+
+/etc/salt/master.d/_peer.conf:
+  file.managed:
+  - source: salt://salt/files/_peer.conf
+  - user: root
+  - template: jinja
+  - require:
+    - pkg: salt_master_packages
+  - watch_in:
+    - service: salt_master_service
+
+{%- endif %}
+
 salt_master_service:
   service.running:
   - name: {{ master.service }}
@@ -26,4 +40,4 @@ salt_master_service:
   - mode: 755
   - makedirs: true
 
-{%- endif %}
+{%- endif %}

salt/minion/ca.sls

@@ -4,9 +4,9 @@
 include:
 - salt.minion.service
 
-/etc/salt/minion.d/_signing_policies.conf:
+/etc/salt/minion.d/_pki.conf:
   file.managed:
-  - source: salt://salt/files/_signing_policies.conf
+  - source: salt://salt/files/_pki.conf
   - template: jinja
   - require:
     - pkg: salt_minion_packages

salt/minion/cert.sls

@@ -16,7 +16,7 @@ include:
 
 /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
   x509.certificate_managed:
-  - ca_server: wst01.newt.cz
+  - ca_server: {{ cert.host }}
   - signing_policy: {{ cert.authority }}
   - public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
   - CN: {{ cert.common_name }}

tests/pillar/minion_pki_cert.sls

@@ -3,5 +3,6 @@ salt:
     enabled: true
     cert:
       test_service:
+        host: minion.with.ca
         authority: Company CA
-        common_name: test.service.domain.tld
+        common_name: test.service.domain.tld